David caught my attention when he explained that the most important part of their approach is to empower users to take full advantage of their systems. He qualified this with the example that while you could probably use their equipment, in particular their Intrusion Prevention System, or IPS, out of the box, you wouldn’t be taking full advantage of the power in the device.

This struck me as a very interesting take on the user education system.

As part of my day job, I work with IPS systems. In fact, I have evaluated, implemented and operated a few solutions from different vendors.  One vendor in particular collects comprehensive statistics anonymously (from their opt in system) and publishes them for review on their site. They show that 60-70% of all of their end users use their IPS filters on the ‘Recommended’ settings, meaning without any modification from the vendor-produced filters.

In Cisco’s view, this would suggest that users of the other Vendor systems aren’t taking full advantage of their appliances.

So who is right?

We’ve all heard it, that “the user” doesn’t know what they’re doing, that the less power we give them, the better. In that case, wouldn’t it make more sense for the company with a full team designing and analyzing filters and threats to develop and maintain the IPS in a User’s network than for the User itself?

After all, if a device ships with the setting in place to auto-apply updates from the vendor, then the vendor can have significant control over the client network. Add filters when a new threat pops up, and in a few months, once the threat dies down, just recommend the disabling of that filter since the user no longer needs it. Minimal involvement on the user’s part, and they’re likely protected better than they could have done on their own.

But is that more beneficial to the user than education?

I point towards Michael’s Awareness That Works™. What if, instead of assuming the User is a lesser life form that has no idea how to properly secure their network, we assume that they’re just uninformed? You don’t call someone an idiot when they can’t spell a word or speak your language; you educate them instead. Why should we treat Network Security any different? We in the industry use acronyms, tools, and words that are often referred to as another language. Heck, we are proud when we say that we think in a way contrary to the average user. But how is that different than if I were to say I was better than a German, since I speak English?

It seems Cisco is on the right track, maybe we could learn something from their ideas.

What do you think? How do we strike the balance between providing solutions that help get the job done while educating people to really use the tools to their maximum advantage?